research-article

ReSC: An RFID-Enabled Solution for Defending IoT Supply Chain

Published: 01 February 2018

Abstract

The Internet of Things (IoT), an emerging global network of uniquely identifiable embedded computing devices within the existing Internet infrastructure, is transforming how we live and work by increasing the connectedness of people and things on a scale that was once unimaginable. In addition to facilitated information and service exchange between connected objects, enhanced computing power and analytic capabilities of individual objects, and increased interaction between objects and their environments, the IoT also raises new security and privacy challenges. Hardware trust across the IoT supply chain is the foundation of IoT security and privacy. Two major supply chain issues—disappearance/theft of authentic IoT devices and appearance of inauthentic ones—have to be addressed to secure the IoT supply chain and lay the foundation for further security and privacy-defensive measures. Comprehensive solutions that enable IoT device authentication and traceability across the entire supply chain (i.e., during distribution and after being provisioned) need to be established. Existing hardware, software, and network protection methods, however, do not address IoT supply chain issues. To mitigate this shortcoming, we propose an RFID-enabled solution called ReSC that aims at defending the IoT supply chain. By incorporating three techniques—one-to-one mapping between RFID tag identity and control chip identity; unique tag trace, which records tag provenance and history information; and neighborhood attestation of IoT devices—ReSC is resistant to split attacks (i.e., separating tag from product, swapping tags), counterfeit injection, product theft throughout the entire supply chain, device recycling, and illegal network service access (e.g., Internet, cable TV, online games, remote firmware updates). Simulations, theoretical analysis, and experimental results based on a printed circuit board (PCB) prototype demonstrate the effectiveness of ReSC. 
Finally, we evaluate the security of our proposed scheme against various attacks.

    • Published in

      ACM Transactions on Design Automation of Electronic Systems, Volume 23, Issue 3
      May 2018
      341 pages
      ISSN: 1084-4309
      EISSN: 1557-7309
      DOI: 10.1145/3184476
      Editor: Naehyuck Chang

      Copyright © 2018 ACM


      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 1 February 2018
      • Accepted: 1 December 2017
      • Revised: 1 July 2017
      • Received: 1 March 2017

      Qualifiers

      • research-article
      • Research
      • Refereed
